OPSKEY CRM TRUST CENTER

Data-security controls explained clearly.

This page describes the application-level controls currently built into OpsKey CRM. It is written to help organisations understand the security model before creating a workspace or requesting a commercial onboarding discussion.

SECURITY SCOPE

Application-level protection for structured business operations.

OpsKey CRM is designed as a multi-workspace SaaS platform. Each subscribing organisation receives a separate workspace context. Customer, order, payment, licence, document, report and support-ticket operations are queried using the relevant workspace identifier so records can be handled within the subscribing organisation's operating context.

Security also depends on how the platform is deployed and operated. The hosting account, HTTPS configuration, database server, server updates, backups, email configuration and administrator practices must be maintained responsibly by the platform operator.

Built-in application controls

Role-Based Access Control

Workspace users can use defined base roles and enterprise custom roles with permission-key assignments for more granular access governance.

Workspace-Level Data Separation

Customer-facing operational records are maintained with a workspace identifier and retrieved within the active workspace context.

Password, Verification & MFA

User passwords are hashed using bcrypt. The enterprise layer adds email verification, time-limited password reset links and optional authenticator-app MFA.

Session Protection

Authenticated sessions use HTTP-only cookies. Secure cookies apply in production mode, SameSite protection is configured and users can review or revoke tracked sessions.

CSRF Protection

State-changing authenticated form submissions are checked using session-based CSRF verification, including validated multipart upload workflows.

Login & Signup Rate Limiting

Rate limits are applied to login and signup requests to reduce repeated automated attempts.

HTTP Security Headers

The application uses security-header middleware and does not expose Express's default X-Powered-By header.

Audit, Download & Security Logs

Important actions, security events and file downloads can be recorded for operational review and accountability.

Privacy Operations

A public privacy-request form and internal request register support access, correction, deletion, restriction, portability and workspace-closure workflows.

Deployment & Continuity Records

Data-region, retention, incident and backup-register records help document operational responsibilities for larger deployments.

Uploaded-file handling

Private business files are written to a configurable private storage directory rather than the public website-assets directory. Upload endpoints use accepted file-type lists and file-size limits according to the relevant workflow.

Workflow                          Accepted formats              Configured limit
Customer and order attachments    PDF, PNG, JPG, DOCX, XLSX     10 MB
Subscription payment proof        PDF, PNG, JPG                 8 MB
DOCX template upload              DOCX                          5 MB
Company logo upload               PNG, JPG                      3 MB
Support-ticket attachments        PDF, PNG, JPG                 5 MB
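
The per-workflow format lists and size limits above can be enforced in one server-side check. The sketch below is an added example, not OpsKey CRM code: the workflow keys and function names are hypothetical, and comparing the file's leading bytes against its extension is an assumption of this example that goes beyond what the page states.

```javascript
// Added example; workflow keys and function names are hypothetical.
const MB = 1024 * 1024;
const UPLOAD_POLICY = { // formats and limits taken from the table above
  attachment:    { types: ["pdf", "png", "jpg", "docx", "xlsx"], maxBytes: 10 * MB },
  paymentProof:  { types: ["pdf", "png", "jpg"], maxBytes: 8 * MB },
  docxTemplate:  { types: ["docx"], maxBytes: 5 * MB },
  companyLogo:   { types: ["png", "jpg"], maxBytes: 3 * MB },
  supportTicket: { types: ["pdf", "png", "jpg"], maxBytes: 5 * MB },
};

// Leading bytes that identify each container format.
const MAGIC = {
  pdf: [0x25, 0x50, 0x44, 0x46],                         // "%PDF"
  png: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  jpg: [0xff, 0xd8, 0xff],
  zip: [0x50, 0x4b, 0x03, 0x04], // DOCX and XLSX are ZIP containers
};

const startsWith = (buf, sig) => sig.every((b, i) => buf[i] === b);

// Returns the detected container ("pdf", "png", "jpg", "zip") or null.
function sniff(buf) {
  return Object.keys(MAGIC).find((k) => startsWith(buf, MAGIC[k])) || null;
}

// Checks size, then extension against the workflow's list, then content.
function checkUpload(workflow, filename, buf) {
  const policy = UPLOAD_POLICY[workflow];
  if (!policy) return { ok: false, reason: "unknown workflow" };
  if (buf.length === 0) return { ok: false, reason: "empty file" };
  if (buf.length > policy.maxBytes) return { ok: false, reason: "too large" };
  let ext = (filename.split(".").pop() || "").toLowerCase();
  if (ext === "jpeg") ext = "jpg"; // assumption: .jpeg is treated as JPG
  if (!filename.includes(".") || !policy.types.includes(ext))
    return { ok: false, reason: "type not accepted" };
  const expected = ext === "docx" || ext === "xlsx" ? "zip" : ext;
  if (sniff(buf) !== expected) return { ok: false, reason: "content mismatch" };
  return { ok: true, type: ext };
}

// Constructed sample: a text file renamed to .png fails the content check.
const renamedText = Buffer.from("plain text, not an image", "latin1");
console.log(checkUpload("supportTicket", "shot.png", renamedText));
```

The ZIP signature only shows that a DOCX or XLSX upload is a ZIP archive; telling the two apart, or rejecting an arbitrary ZIP, requires inspecting the archive contents.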

Deployment and operator responsibilities

The following controls must be managed correctly at hosting and operational level:

  • Enable and maintain HTTPS for the live domain.
  • Keep the hosting account, database credentials and environment variables private.
  • Use a strong private session secret and strong administrator passwords.
  • Maintain server, Node.js and dependency updates after review and testing.
  • Schedule backups for the database, the private-storage directory and environment configuration.
  • Limit access to the hosting panel and database-management tools.
  • Review user accounts, role assignments and audit logs periodically.

Important limitations and honest disclosures

No unsupported certification claims

Unless separately confirmed in writing, OpsKey CRM is not presented as independently penetration-tested, ISO-certified, SOC 2-certified, PCI DSS-certified or compliant with a specific regulated-industry framework.

The enterprise foundation provides application-level controls for business workflow management, including optional authenticator MFA, security-event records, session revocation, privacy operations, incident tracking, API keys, webhooks and SCIM provisioning foundations. Organisations with regulatory, contractual or high-risk data requirements should still complete their own technical, legal and compliance review. Hosting-level encryption-at-rest, production SSO activation, offsite backup destinations, RPO, RTO and binding service levels must be agreed for the selected deployment.

Security and onboarding questions

For a commercial discussion, deployment clarification or a security-questionnaire request, contact the KeyHub Pro sales team.
